Secure SaaS without passwords, via Secure Cloudlink

UK-based startup Secure Cloudlink (headquartered in Leatherhead, Surrey) has a unique and US-patented product that eliminates the use of passwords and is designed to secure cloud / SaaS applications.

With Secure Cloudlink, each user is uniquely identified and authenticated, but as no user credentials are stored or replicated behind the scenes the risks of security breaches due to password interception or hacking are eliminated. The technology also eliminates the time costs involved in resetting passwords.

“Security is regularly cited by end user organisations as an objection to Cloud, so it should come as little surprise that it recently topped the list of end users’ concerns in recent research from the Cloud Industry Forum. According to the research 61% of end user organisations questioned stated that security was a significant concern in the adoption of Cloud services within their organisation.”

“Password and identity sharing is also difficult to monitor and manage for SaaS application providers and end user organisations, and adds to costs. According to the Gartner report ‘Design IT Self Service for the Business Consumer,’ password resets account for as much as 40% of IT service desk contact value.

“Although some organisations are investing in technology to automate password resets to reduce the number of calls, user credentials still persist, exposing the organisation to the threat of cyber attack. At Secure Cloudlink our approach is to eliminate the passwords and streamline the granting of access to applications, IT resources and on-line services.”

Conventional SSO (single-sign-on) password management and biometric recognition systems remove passwords from the user perspective, but, behind the scenes, user credentials are still stored, transmitted and replicated. This can make them prone to ‘man-in-the-middle attack’ (Wikipedia) or interception.

Secure Cloudlink provides anonymised authentication to SaaS, cloud or on-premise applications without storing, replicating or transmitting passwords anywhere outside of the directory services. Using a patented token security system that operates without the use of passwords, Secure Cloudlink – SaaS Providers Edition (a slightly clunky name!) includes an SSO service and optional biometric or multi-factor user authentication to improve the end user experience. Network users can securely access multiple cloud services without even appearing to have left the corporate network.
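To make the contrast between the two paragraphs above concrete, here is an added example (written for this post, not Secure Cloudlink's code; the post does not describe how its patented token system actually works) of the general pattern in which a relying SaaS application accepts a signed identity assertion from an identity provider and never sees, stores or transmits the user's password. The signing key, audience name and token layout are assumptions chosen for the example; the identity provider is assumed to verify the user against the directory by whatever means it likes (password, biometric, MFA) before issuing a token.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed values for this example: a signing key shared between the
# identity provider (IdP) and the SaaS relying party, and the audience name
# the relying party expects to see in every token it accepts.
IDP_SIGNING_KEY = secrets.token_bytes(32)
SERVICE_AUDIENCE = "saas-app.example"
TOKEN_LIFETIME_SECONDS = 300


class TokenError(ValueError):
    """Raised by the relying party when a token must be rejected."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(user_id: str, now: Optional[float] = None) -> str:
    """IdP side. Called only after the directory has verified the user; the
    password (or biometric / MFA step) is handled there and stays there.
    The token asserts identity and carries nothing derived from the password."""
    now = time.time() if now is None else now
    claims = {
        "sub": user_id,
        "aud": SERVICE_AUDIENCE,
        "iat": int(now),
        "exp": int(now) + TOKEN_LIFETIME_SECONDS,
        "jti": secrets.token_hex(16),  # unique id so each token is single-use
    }
    body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(IDP_SIGNING_KEY, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(sig)}"


def saas_verify_token(token: str, now: Optional[float] = None,
                      seen_ids: Optional[set] = None) -> dict:
    """Relying-party side. Checks signature, audience, lifetime and replay.
    The service holds no user credential, so a breach of it yields nothing an
    attacker could reuse against the directory or another application."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, TypeError):  # covers bad split and binascii.Error
        raise TokenError("malformed token")
    expected = hmac.new(IDP_SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise TokenError("bad signature")
    claims = json.loads(body)
    if claims.get("aud") != SERVICE_AUDIENCE:
        raise TokenError("token issued for a different service")
    if not (claims["iat"] <= now < claims["exp"]):
        raise TokenError("token expired or not yet valid")
    if seen_ids is not None:
        if claims["jti"] in seen_ids:
            raise TokenError("token replayed")
        seen_ids.add(claims["jti"])
    return claims


if __name__ == "__main__":
    seen: set = set()
    tok = idp_issue_token("alice")
    print("accepted user:", saas_verify_token(tok, seen_ids=seen)["sub"])
    try:
        saas_verify_token(tok, seen_ids=seen)
    except TokenError as err:
        print("second presentation rejected:", err)
```

The point of the split is where the secrets live: the only long-lived secret the SaaS side keeps is the IdP's signing key, and even that is not a user credential. A stolen token is bounded by its short lifetime, its audience and the replay set, which is what makes this pattern worth more than a stored password, provided the channel carrying the token is itself protected (TLS at minimum).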

Company founder Dave Worrall told me the solution had been in development since the mid-2000s, and in the past three years had been rolled out in several early adopter customers.

“We have been on a journey with these customers. Companies might start with authenticating one or more mobile apps, then look at their Active Directory, and then some desktop client applications. We have learned a lot from these deployments – in government, with SaaS providers, and in financial institutions – working with companies with over 60,000 IT users, operating in B2C and B2B markets. In these organisations, password resetting is quickly a thing of the past.

“We provide an easy way for an organisation to switch rapidly from one method of authentication reliant on passwords to one in which no passwords are transmitted or stored on any devices. We have also been looking at how we can make our solution attractive to end-users. Some education is necessary to ensure end-user confidence, but then we want to make it easy for them to onboard.”

Reaction

As Keats says, security has long been the main concern (often an objection) for potential Cloud customers and end-users, and ever since the advent of SaaS tools (or application service provision, as it was previously known) in the mid-late 1990s, SaaS vendors have had to educate the market about their security provisions. Working for a SaaS construction collaboration software vendor in the early 2000s, I wrote various briefing sheets and white papers outlining both the physical and digital precautions taken to safeguard the platform, associated data, and user interactions with them.

Passwords and SSL encryption became standard measures. Hosting on systems carrying BS7799 (later ISO27001) accreditation also offered an early marketing edge but gradually became the norm (achieved by, among others, BIW in 2006, Cadweb in 2007, Aconex in 2011, Kykloud in 2013, and think project! in 2014). But some organisations demanded more – for example, two-factor authentication using USB device RSA tokens has been an additional option offered by Conject and think project! (post). And customer and end-user security expectations are also influenced by advances in authentication provided by banks and other services, and by new hardware provisions such as mobile fingerprint or voice authentication.

For the SaaS vendors, Secure Cloudlink technology potentially not only eliminates the need for user password management but also eliminates password sharing. This practice has a direct impact on revenues if vendors are charging per user (as some SaaS construction collaboration vendors do – others operate per-project or enterprise licensing approaches).

More importantly, password sharing also undermines compliance regimes, so Secure Cloudlink can provide assurance that a SaaS platform user is a known and authorised individual, helping ensure an accurate audit trail of user access and interaction – vital in many highly regulated industries. (And as an additional incentive, Secure Cloudlink also has a referral program with the opportunity for SaaS vendors to earn incremental revenues!)

2 comments

This “without password security” did intrigue me. I was first skeptical and asked myself “How is it possible?” Anyway, reading through this brief article of yours somehow gave me answers. Biometrics indeed is a brilliant idea. This way you could be sure that the ones who have access to such SaaS/Cloud application are only those that are authorized. Another great innovation for data privacy and security. Congratulations on this brilliant idea!

Interesting proposition, especially for the AEC sector. It looks like they have packaged up a number of elements rather nicely, albeit there doesn’t appear to be anything new. Notably the comment in the video about federation being inherently open to man-in-the-middle attacks is wrong – assuming that best practice is followed (i.e. decent encryption and using a Channel Binding Token (CBT)). Seems to me that they are using Microsoft ADFS, leveraging the CBT method, packaging some biometric options for the authentication and integrating some reporting and alerting options. All good, but nothing really new. While margins are low (which they are in construction) then the use of standard patterns of federation (e.g. Microsoft ADFS with CBT etc.) is probably a cheaper option, even if you take this as a service from a third party. Hopefully this at least serves to raise awareness of some key information security challenges.